A joint Technical Alert (TA) issued by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) was updated last week to include indicators of compromise (IOCs) related to a remote administration tool (RAT) dubbed FALLCHILL used by the North Korean government.
The U.S. Government refers to malicious cyber activity conducted by the North Korean government as HIDDEN COBRA.
According to the alert (TA17-318A), the IOCs include IP addresses linked to systems infected with FALLCHILL malware, malware descriptions, and associated signatures.
HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target organizations in the aerospace, telecommunications, and finance industries.
The alert gives organizations guidance on suggested response actions for the IOCs, on mitigation techniques (such as network signatures and host-based rules to detect malicious activity), and on how to report incidents.
More information on HIDDEN COBRA is available at https://www.us-cert.gov/hiddencobra. Fortinet has also published a deep-dive analysis of FALLCHILL in a recent blog post.